Customers who used credit or debit cards at the Barnes & Noble store in the Clifton Commons shopping center on Route 3, or at 62 other Barnes & Noble bookstores nationwide, may have had their credit-card information or personal identification codes stolen, the bookstore chain said Wednesday.

PIN pads, the devices shoppers use at the checkout counter to swipe their credit and debit cards and to enter their personal identification number (PIN) code for debit cards, were tampered with in what New York-based Barnes & Noble is calling "a sophisticated criminal effort" to steal card information.

The FBI is investigating the theft, which apparently was discovered in early September, although Barnes & Noble is not saying how long the tampered PIN pads were in stores. Only one tampered pad was found in each of the 63 affected stores. Three other New Jersey stores, in Edison, Holmdel and Howell, also had tampered pads.

Retail chains such as Michaels Arts and Crafts Stores, and even small downtown merchants with one cash register, have become prime targets for "skimmers" – criminals who plant bugs or other means of capturing data in PIN pads.

"The history's on the side of the criminals at this point as far as their success ratios go," said John South, chief security officer of Princeton-based Heartland Payment Systems, one of the nation's largest processors of credit and debit cards.

South said most of the tampering is difficult to detect. "If a criminal has enough time to open the terminal and install the device that they want to, or if they have a very sophisticated overlay, you may not see it," he said.

Cybercrime and tampering has been shifting from financial services firms to retail merchants in recent years, Tim Keanini, chief research officer for San Francisco-based nCircle, a network security and security performance management firm, said via email. "This is because attackers can make just as much money hacking into retail businesses and, generally speaking, it's easier because financial services businesses have a lot more information security in place."

"After all," Keanini said, "why spend all the time and energy necessary to hack into banks when you can effectively slip your fingers into every consumer's back pocket every time they go shopping?"

Barnes & Noble had removed every PIN pad from its stores by Sept. 14. The company said it delayed notifying customers because of the FBI investigation.

Andrew Storms, director of security operations for nCircle, said the fact that the FBI is involved indicates the breach "is pretty serious," probably involving an ongoing investigation. "Even though less than 1 percent of Barnes & Noble's PIN pads were affected, who knows how many millions of customer transactions were intercepted?" Storms said in an email.

Workers at the Clifton store referred calls to Barnes & Noble headquarters. A company spokeswoman said she could not supply more information about the breach because of the continuing investigation.

The incident parallels a similar card breach at Michaels crafts stores in early 2011, in which locations in 20 states were affected, including stores in Paramus and Clifton.

Retail security specialists blame organized teams of criminals who target chains that have vulnerable PIN pads because empty checkout lanes aren't monitored, giving criminals the opportunity to install the bugs or skimmers that collect the card data. Risk management experts at MasterCard Inc. estimated that it takes criminals only about 30 seconds to remove the card-scanning device from a gasoline pump or other checkout terminal and replace it with an identical device fitted with electronic skimmers.

Retailers have also had to worry about inside jobs, where employees install skimmers, or where workers at the companies that make or install the PIN pads plant the devices.

Heartland Payment Systems makes tamperproof and encryption-enabled systems that fight PIN fraud. The company's E3 system encrypts, or codes, card information as soon as a consumer swipes a card, to prevent card skimming. South said even small merchants, such as local pizza parlors or hair salons with only one cash register, are purchasing tamperproof and encryption systems because of the widespread episodes of card skimming.